Wednesday, September 10, 2008

Thought experiment

Economists say, incentives matter.

Here's a thought experiment -

What if we did away with all the security regulations and rules? No more GLBA security rules, no more HIPAA privacy, etc. And for contracts and B2B relationships, no more SAS-70s, no more PCI, no more ISO certifications.

Just one new rule - each person whose confidential information is breached gets a cash settlement. For example, your credit card ended up with some hackers. Here's $250. And if we didn't warn you or tried to cover it up and you later found out about it the hard way... well, now we gotta pay you $2500.

That's it. Let each organization figure out how to secure themselves and what the trade-offs are. Next step in my hypothetical world - organizations would need to post bonds or have insurance to make sure they can pay people off when breached. And then the insurance companies will come up with criteria for good controls. And with all the payoffs, they'll be able to build actuarial tables to see what works, what doesn't.

Aviatrix said...

It might encourage people who wanted short-term cash to treat their own credit cards with poor security.

Author, Planet Heidi said...

Hmm, maybe I wasn't clear. The money would come from the merchant breaching the data. The only moral hazard that would entrap the card holder is that they would be less discriminating about who they were doing business with. But IMHO, the average person already is indiscriminate about who they give their card to. The goal is to force the merchants to be more secure, not in a heavy-handed way (aka PCI) but in a more useful risk-reward tradeoff fashion.